
Msn Trojan Removal


  • This topic is locked
15 replies to this topic

#1 spillo9

spillo9

  • Members
  • 15 posts

Posted 04 November 2006 - 08:34 AM

Hello, every time I begin a conversation with a contact on MSN Messenger,
this phrase appears from my contact: "Da uma olhada nas fotos dessa festa"
("Take a look at the photos from this party"), with a link to a ZIP file.

I read that this is an MSN trojan.

How can I remove it? Please help me!

Here is my HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 14.26.38, on 04/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
C:\Programmi\Norton Internet Security\ISSVC.exe
C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Toshiba\Toshiba Applet\thotkey.exe
C:\Programmi\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programmi\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Programmi\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmi\File comuni\Symantec Shared\ccApp.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\QuickTime\qttask.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\icpldrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programmi\Google\Google Talk\googletalk.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\Mozilla Thunderbird\thunderbird.exe
C:\Programmi\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Programmi\totalcmd\TOTALCMD.EXE
C:\tempor\HijackThis.exe
C:\Programmi\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Toolbar Suite\TB\02.05.0000.1082\it-it\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Toolbar Suite\TB\02.05.0000.1082\it-it\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [THotkey] C:\Programmi\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [Tvs] C:\Programmi\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Programmi\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programmi\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] "C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Avg Antivirus] C:\WINDOWS\system32\icpldrvx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [googletalk] "C:\Programmi\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Programmi\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Programmi\MSN Toolbar Suite\DS\02.05.0001.1119\it-it\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Programmi\MSN Toolbar Suite\TB\02.05.0000.1082\it-it\msntb.dll/search.htm
O8 - Extra context menu item: Apri in nuova scheda in primo piano - res://C:\Programmi\MSN Toolbar Suite\TAB\02.05.0001.1119\it-it\msntabres.dll/230?91351616ad534ccf90bb858fef25fcea
O8 - Extra context menu item: Apri in nuova scheda in secondo piano - res://C:\Programmi\MSN Toolbar Suite\TAB\02.05.0001.1119\it-it\msntabres.dll/229?91351616ad534ccf90bb858fef25fcea
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} (PIXACO Drag and Drop upload plugin) - http://www.pixaco.it/static/download/pixacodndupload.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Programmi\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Servizio Auto-Protect di Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Programmi\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe


#2 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 04 November 2006 - 12:45 PM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Please download AVG Anti-Spyware and save the file to your desktop.
This is a free 30 day trial version of the program.
  • Locate the icon on your desktop and double click it to open the set-up program.
  • Follow the instructions on screen to install Ewido.
  • Run the program and you will meet the main screen.
  • Select the icon "Update" then select the "Update now" link
  • Next click the "Start Update" button; a progress bar will show the updates being installed.
  • Now select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Click on "Recommended actions" and then select "Quarantine".
  • Close the program now, we will be running a scan a bit later.
Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O4 - HKLM\..\Run: [Avg Antivirus] C:\WINDOWS\system32\icpldrvx.exe

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste the following:

C:\WINDOWS\system32\icpldrvx.exe

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say No.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

Launch AVG antispyware by double clicking on the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab.
  • Then click on the "Complete System Scan" button.
  • If you have any infections you will be asked for an action - select "apply all actions".
  • Now select the "Reports" icon at the top.
  • Click "Save Report As" and save the text file to your desktop.
  • Close AVG antispyware and reboot back into normal mode.
Please post the results of the AVG antispyware scan in this thread.
David
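
As an added example (not code from HijackThis, AVG or either poster), the script below parses the O4 autorun lines of a HijackThis log and applies the reasoning behind the fix above: an entry labelled as a security product whose binary sits in system32 rather than in the vendor's folder, as with [Avg Antivirus] -> icpldrvx.exe. The sample lines are copied from the logs in this thread; the vendor table and the list of known Windows component names are my own assumptions.

```python
"""Triage HijackThis O4 (autorun) entries for impostor security-product labels.

Added example for this thread; not code from HijackThis, AVG or the posters.
Two defender-side heuristics are applied to every O4 line:
  1. the label names an anti-malware vendor, but the executable is not under
     that vendor's folder (the [Avg Antivirus] -> icpldrvx.exe entry above);
  2. the executable sits directly in %SystemRoot%\\system32 under a label that
     does not match its file name and is not a known Windows component.
Both are triage hints for a human reviewer, not a verdict.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed vendor words a label may carry, mapped to substrings expected in a
# genuine install path (constructed for this example; extend as needed).
VENDOR_PATHS = {
    "avg": ("avg",),
    "norton": ("norton", "symantec"),
    "symantec": ("symantec", "norton"),
    "avast": ("avast",),
    "kaspersky": ("kaspersky",),
}
GENERIC_SECURITY_WORDS = ("antivirus", "anti-virus", "anti-spyware", "antispyware", "firewall")
# File-name stems of Windows components that legitimately run from system32 on XP
# (assumed and deliberately short; a miss here only means a manual look).
KNOWN_WINDOWS_STEMS = {"ctfmon"}

# O4 - HKLM\..\Run: [Label] "C:\path\prog.exe" -switch
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$"
)
# O4 - Global Startup: Some Shortcut.lnk = C:\path\prog.exe
O4_STARTUP = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<label>.+?) = (?P<cmd>.+)$")

# Constructed sample: O4 lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Avg Antivirus] C:\WINDOWS\system32\icpldrvx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""


@dataclass
class Autorun:
    location: str  # registry hive or startup folder the entry is loaded from
    label: str     # value name or shortcut name HijackThis shows in brackets
    command: str   # full command line as logged
    exe: str       # executable path extracted from the command line


def split_executable(cmd: str) -> str:
    """Return the executable part of a Run value, handling quoted paths and switches.
    An unquoted path containing ' -' or ' /' would be cut short; such paths are quoted in practice."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\s[-/]", cmd)
    return cmd[: m.start()] if m else cmd


def parse_o4_lines(log: str) -> list[Autorun]:
    entries = []
    for line in log.splitlines():
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if m:
            location = m.groupdict().get("hive") or m.group("key")
            cmd = m.group("cmd")
            entries.append(Autorun(location, m.group("label"), cmd, split_executable(cmd)))
    return entries


def triage(entry: Autorun) -> list[str]:
    """Return the reasons (possibly none) this autorun deserves a closer look."""
    reasons = []
    label = entry.label.lower()
    path = PureWindowsPath(entry.exe)
    path_l = str(path).lower()
    # Heuristic 1: vendor named in the label must also appear in the binary's path.
    claimed = [v for v in VENDOR_PATHS if v in label]
    if claimed and not any(tok in path_l for v in claimed for tok in VENDOR_PATHS[v]):
        reasons.append(f"label claims {'/'.join(claimed)} but the binary is {entry.exe}")
    elif not claimed and any(w in label for w in GENERIC_SECURITY_WORDS):
        reasons.append("security-product label with no recognisable vendor")
    # Heuristic 2: unfamiliar binary directly in system32 under a mismatched label.
    stem = path.stem.lower()
    label_stem = label[:-4] if label.endswith(".exe") else label
    if (str(path.parent).lower().endswith("\\windows\\system32")
            and stem not in KNOWN_WINDOWS_STEMS and stem != label_stem):
        reasons.append("runs directly from system32 under a label that does not match its file name")
    return reasons


def report(log: str) -> dict[str, list[str]]:
    """Map the label of every flagged O4 entry to the reasons it was flagged."""
    return {e.label: r for e in parse_o4_lines(log) if (r := triage(e))}


if __name__ == "__main__":
    for label, reasons in report(SAMPLE_LOG).items():
        print(f"[{label}]")
        for reason in reasons:
            print("   -", reason)
```

On the sample, only the [Avg Antivirus] entry is flagged, on both heuristics; the genuine AVG and avast! entries pass because their binaries live under the vendor folders.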

#3 spillo9

spillo9
  • Topic Starter

  • Members
  • 15 posts

Posted 07 November 2006 - 05:43 PM

Hello David,
I carried out the whole procedure you wrote in your post.

I attach the AVG-AntiSpyware report at the bottom of my reply.

I would like to know if I am now safe from malware and
what I can do to free my PC from this malware.

I will verify in MSN Messenger if some problems remain.

I await your reply. Many thanks.

======================================
+ Created at: 23.31.15 07/11/2006

+ Scan result:



C:\Programmi\File comuni\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\Programmi\Toshiba Connect\InstID.exe -> Dialer.InterDialer.a : Cleaned with backup (quarantined).
C:\Programmi\Toshiba Connect\Interdialer.exe -> Dialer.InterDialer.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3C018861-145D-40A6-A95C-80499D077B6C}\RP149\A0013341.exe -> Logger.Banker.byu : Cleaned with backup (quarantined).
C:\mp3\mp3.zip/WinISO v5.3 patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\mp3\mp3.zip/WinISO_v5.3_Patch_by_ShaDoW.zip/WinISO v5.3 patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).


::Report end

=====================================

#4 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 07 November 2006 - 05:59 PM

Hey there, and good job with the scans.
I also need to see a new Hijackthis log, but please complete this also:

Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

David

#5 spillo9

spillo9
  • Topic Starter

  • Members
  • 15 posts

Posted 08 November 2006 - 03:21 PM

Hello David, how are you?

I first launched "Combofix" like you said, and afterwards
HijackThis another time.

I attach the reports generated by the 2 programs.

====================================
combofix.txt
====================================
alessandro - 06-11-08 21.01.41,56 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Programmi\Hijackthis"

((((((((((((((((((((((((((((((( Files Created from 2006-10-08 to 2006-11-08 ))))))))))))))))))))))))))))))))))


2006-11-07 20:53 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-05 15:11 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-11-05 15:11 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-11-05 15:11 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-11-05 15:11 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-11-05 15:11 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-11-05 15:11 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-11-05 15:11 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-11-04 11:11 98 --a------ C:\fx.reg


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-08 21:01 -------- d-------- C:\Programmi\Hijackthis
2006-11-08 20:58 -------- d-------- C:\Programmi\Mozilla Firefox
2006-11-08 18:16 -------- d-------- C:\Programmi\Mozilla Thunderbird
2006-11-08 18:14 -------- d-------- C:\Programmi\AVG Anti-Spyware 7.5
2006-11-05 18:05 -------- d-------- C:\Programmi\DC++
2006-11-05 16:09 -------- d-------- C:\Programmi\File comuni
2006-11-05 16:00 -------- d-------- C:\Programmi\Avast4
2006-11-04 14:34 -------- d-------- C:\Programmi\PicSizer
2006-11-04 10:49 -------- d-------- C:\Programmi\MSN Messenger
2006-11-02 20:42 -------- d-------- C:\Programmi\Paint Shop Pro 5
2006-10-29 17:32 -------- d-------- C:\Programmi\TVU Player
2006-10-22 11:20 -------- d-------- C:\Programmi\Winamp
2006-10-20 21:37 -------- d-------- C:\Programmi\HTML Builder
2006-09-13 06:03 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 16:51 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 13:26 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 12:59 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"TOSCDSPD"="C:\\Programmi\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"
"googletalk"="\"C:\\Programmi\\Google\\Google Talk\\googletalk.exe\" /autostart"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Programmi\\File comuni\\Ahead\\lib\\NMBgMonitor.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Programmi\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SynTPLpr"="C:\\Programmi\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Programmi\\Synaptics\\SynTP\\SynTPEnh.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"THotkey"="C:\\Programmi\\Toshiba\\Toshiba Applet\\thotkey.exe"
"Tvs"="C:\\Programmi\\TOSHIBA\\Tvs\\TvsTray.exe"
"TPSMain"="TPSMain.exe"
"NDSTray.exe"="NDSTray.exe"
"SmoothView"="C:\\Programmi\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"PadTouch"="C:\\Programmi\\TOSHIBA\\Touch and Launch\\PadExe.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"TkBellExe"="\"C:\\Programmi\\File comuni\\Real\\Update_OB\\realsched.exe\" -osboot"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AnyDVD"="\"C:\\Programmi\\SlySoft\\AnyDVD\\AnyDVD.exe\""
"QuickTime Task"="\"C:\\Programmi\\QuickTime\\qttask.exe\" -atboottime"
"avast!"="C:\\PROGRA~1\\Avast4\\ashDisp.exe"
"!AVG Anti-Spyware"="\"C:\\Programmi\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Pagina iniziale corrente"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precaricatore Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon di cache delle categorie di componenti"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061107-205715-252
O4 - HKLM\..\Run: [Avg Antivirus] C:\WINDOWS\system32\icpldrvx.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Promemoria registrazione 1.job
C:\WINDOWS\tasks\Promemoria registrazione 2.job
C:\WINDOWS\tasks\Promemoria registrazione 3.job

Completion time: 06-11-08 21:02:19.95
C:\ComboFix.txt ... 06-11-08 21:02




========================================
Hijackthis.log
========================================
Logfile of HijackThis v1.99.1
Scan saved at 21.03.18, on 08/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\Avast4\aswUpdSv.exe
C:\Programmi\Avast4\ashServ.exe
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Toshiba\Toshiba Applet\thotkey.exe
C:\Programmi\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programmi\TOSHIBA\ConfigFree\NDSTray.exe
C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Programmi\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\QuickTime\qttask.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Programmi\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Programmi\Google\Google Talk\googletalk.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Programmi\Avast4\ashMaiSv.exe
C:\Programmi\Avast4\ashWebSv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\totalcmd\TOTALCMD.EXE
C:\Programmi\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Toolbar Suite\TB\02.05.0000.1082\it-it\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Toolbar Suite\TB\02.05.0000.1082\it-it\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [THotkey] C:\Programmi\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [Tvs] C:\Programmi\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Programmi\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] "C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [googletalk] "C:\Programmi\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Programmi\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Programmi\MSN Toolbar Suite\DS\02.05.0001.1119\it-it\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Programmi\MSN Toolbar Suite\TB\02.05.0000.1082\it-it\msntb.dll/search.htm
O8 - Extra context menu item: Apri in nuova scheda in primo piano - res://C:\Programmi\MSN Toolbar Suite\TAB\02.05.0001.1119\it-it\msntabres.dll/230?91351616ad534ccf90bb858fef25fcea
O8 - Extra context menu item: Apri in nuova scheda in secondo piano - res://C:\Programmi\MSN Toolbar Suite\TAB\02.05.0001.1119\it-it\msntabres.dll/229?91351616ad534ccf90bb858fef25fcea
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} (PIXACO Drag and Drop upload plugin) - http://www.pixaco.it/static/download/pixacodndupload.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Programmi\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Unknown owner - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)



I ask you 2 questions, telling you that the infection in MSN Messenger seems to be removed:

1) Do you think I am free from all kind of malware?

2) Do you advise me to buy a license of AVG Anti-Spyware?
Does it offer good protection against external threats?
I read AVG Anti-Spyware is compatible with my current antivirus program,
which is Avast.

I await your answers.

Many thanks, spillo9.

#6 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 08 November 2006 - 05:53 PM

Hey spillo9.

The two logs you posted are free of malware, which is a very positive sign.
However I want to run one last scan, just to make sure that we've got everything.
I would most certainly recommend you buy a subscription to AVG anti-spyware.
In my opinion it is one of the best around, and it's a good price.

The program is definitely compatible with Avast.
You shouldn't have any conflicts there.

Another anti-malware tool you might consider is Spysweeper.
This is an equally reputable program, that I would also recommend.

Let's finish with the Hijackthis log now.
Open the Hijackthis program.
Click on Open Misc Tools Section.
Click on the backups tab at the top.
Click the button "Delete All", this will delete infected backups.

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

Also let me know how the PC is running.
David

#7 spillo9 (Topic Starter, Members, 15 posts)

Posted 11 November 2006 - 05:09 AM

Hello David, I made the on-line scan with Kaspersky
as you indicated.

This scan showed 3 viruses or worms; I don't know if they are dangerous
and I don't know how I can remove them, because Avast
didn't find them.
These worms are in an e-mail backup, so I would like to still use
these files.

I attach the 2 reports:

==========================
Kaspersky
==========================
*KASPERSKY ONLINE SCANNER REPORT*
Friday, November 10, 2006 12:03:32 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2
(Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/11/2006
Kaspersky Anti-Virus database records: 226012

*Scan Settings*
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
*Scan Target* My Computer
C:\
D:\
*Scan Statistics*
Total number of scanned objects 71300
Number of viruses found 3
Number of infected objects 25 / 0
Number of suspicious objects 0
Duration of the scan process 01:07:22


*Infected Object Name* *Virus Name* *Last Action*
C:\alink\Mail\split.it\oldsplitinbox/[From "Tiziana Gelardi" ][Date Thu,
12 Oct 2000 11:27:41 +0200]/text/[From "Wintic.it" ][Date Sun, 20 Apr
2003 11:53:52 +0200]/UNNAMED/[From <190.it@mail.vodafone.it>][Date Fri,
6 Jun 2003 17:45:17 +0200]/UNNAMED/[From Rosalba e Massimo ][Date Sun,
15 Jun 2003 17:34:32 +0200]/UNNAMED/[From "R.E.M." ][Date ... /[From
"Agriturismo ... /[From ][Date Mon, 30 Jun 2003 14:56:58 +0200]/Matrix
Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\alink\Mail\split.it\oldsplitinbox/[From "Tiziana Gelardi" ][Date Thu,
12 Oct 2000 11:27:41 +0200]/text/[From "Wintic.it" ][Date Sun, 20 Apr
2003 11:53:52 +0200]/UNNAMED/[From <190.it@mail.vodafone.it>][Date Fri,
6 Jun 2003 17:45:17 +0200]/UNNAMED/[From Rosalba e Massimo ][Date Sun,
15 Jun 2003 17:34:32 +0200]/UNNAMED/[From "R.E.M." ][Date ... /[ ...
/[From Rosalb ... ... /Accrediti Cernobbio.jpg .scr Infected:
Email-Worm.Win32.Tanatos.e skipped
C:\alink\Mail\split.it\oldsplitinbox/[From "Tiziana Gelardi" ][Date Thu,
12 Oct 2000 11:27:41 +0200]/text/[From "Wintic.it" ][Date Sun, 20 Apr
2003 11:53:52 +0200]/UNNAMED/[From <190.it@mail.vodafone.it>][Date Fri,
6 Jun 2003 17:45:17 +0200]/UNNAMED/[From Rosalba e Massimo ][Date Sun,
15 Jun 2003 17:34:32 +0200]/UNNAMED/[From "R.E.M." ][Date ... /[ ...
/[From Rosalb ... /[From "Cfn" ][Date Tue, 27 Apr 2004 14:27:50
+0200]/UNNAMED Infected: Email-Worm.Win32.Tanatos.e skipped
C:\alink\Mail\split.it\oldsplitinbox/[From "Tiziana Gelardi" ][Date Thu,
12 Oct 2000 11:27:41 +0200]/text/[From "Wintic.it" ][Date Sun, 20 Apr
2003 11:53:52 +0200]/UNNAMED/[From <190.it@mail.vodafone.it>][Date Fri,
6 Jun 2003 17:45:17 +0200]/UNNAMED/[From Rosalba e Massimo ][Date Sun,
15 Jun 2003 17:34:32 +0200]/UNNAMED/[From "R.E.M." ][Date ... /[ ...
/[From Rosalba e Massimo ][Date Thu, 04 Mar 2004 10:05:38 +0100]/text
Infected: Email-Worm.Win32.Tanatos.e skipped
C:\alink\Mail\split.it\oldsplitinbox/[From "Tiziana Gelardi" ][Date Thu,
12 Oct 2000 11:27:41 +0200]/text/[From "Wintic.it" ][Date Sun, 20 Apr
2003 11:53:52 +0200]/UNNAMED/[From <190.it@mail.vodafone.it>][Date Fri,
6 Jun 2003 17:45:17 +0200]/UNNAMED/[From Rosalba e Massimo ][Date Sun,
15 Jun 2003 17:34:32 +0200]/UNNAMED/[From "R.E.M." ][Date ... /[From ...
/[From servizioclientibol@mondadori.it][Date Thu, 11 Dec 2003 14:24:09
+0100 (CET)]/text Infected: Email-Worm.Win32.Tanatos.e skipped
C:\alink\Mail\split.it\oldsplitinbox/[From "Tiziana Gelardi" ][Date Thu,
12 Oct 2000 11:27:41 +0200]/text/[From "Wintic.it" ][Date Sun, 20 Apr
2003 11:53:52 +0200]/UNNAMED/[From <190.it@mail.vodafone.it>][Date Fri,
6 Jun 2003 17:45:17 +0200]/UNNAMED/[From Rosalba e Massimo ][Date Sun,
15 Jun 2003 17:34:32 +0200]/UNNAMED/[From "R.E.M." ][Date ... /[From
"Agriturismoalba" ][Date Tue, 24 Jun 2003 20:07:53 +0200]/text
Infected: Email-Worm.Win32.Tanatos.e skipped
C:\alink\Mail\split.it\oldsplitinbox/[From "Tiziana Gelardi" ][Date Thu,
12 Oct 2000 11:27:41 +0200]/text/[From "Wintic.it" ][Date Sun, 20 Apr
2003 11:53:52 +0200]/UNNAMED/[From <190.it@mail.vodafone.it>][Date Fri,
6 Jun 2003 17:45:17 +0200]/UNNAMED/[From Rosalba e Massimo ][Date Sun,
15 Jun 2003 17:34:32 +0200]/UNNAMED/[From "R.E.M." ][Date Fri, 20 Jun
2003 21:21:00 -0400]/UNNAMED Infected: Email-Worm.Win32.Tanatos.e skipped
C:\alink\Mail\split.it\oldsplitinbox/[From "Tiziana Gelardi" ][Date Thu,
12 Oct 2000 11:27:41 +0200]/text/[From "Wintic.it" ][Date Sun, 20 Apr
2003 11:53:52 +0200]/UNNAMED/[From <190.it@mail.vodafone.it>][Date Fri,
6 Jun 2003 17:45:17 +0200]/UNNAMED/[From Rosalba e Massimo ][Date Sun,
15 Jun 2003 17:34:32 +0200]/UNNAMED Infected:
Email-Worm.Win32.Tanatos.e skipped
C:\alink\Mail\split.it\oldsplitinbox/[From "Tiziana Gelardi" ][Date Thu,
12 Oct 2000 11:27:41 +0200]/text/[From "Wintic.it" ][Date Sun, 20 Apr
2003 11:53:52 +0200]/UNNAMED/[From <190.it@mail.vodafone.it>][Date Fri,
6 Jun 2003 17:45:17 +0200]/UNNAMED Infected:
Email-Worm.Win32.Tanatos.e skipped
C:\alink\Mail\split.it\oldsplitinbox/[From "Tiziana Gelardi" ][Date Thu,
12 Oct 2000 11:27:41 +0200]/text/[From "Wintic.it" ][Date Sun, 20 Apr
2003 11:53:52 +0200]/UNNAMED Infected: Email-Worm.Win32.Tanatos.e skipped
C:\alink\Mail\split.it\oldsplitinbox/[From "Tiziana Gelardi" ][Date Thu,
12 Oct 2000 11:27:41 +0200]/text Infected: Email-Worm.Win32.Tanatos.e
skipped
C:\alink\Mail\split.it\oldsplitinbox Mail Berkeley mbox: infected -
11 skipped
C:\Documents and Settings\alessandro\Cookies\index.dat Object is
locked skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Mozilla\Firefox\Profiles\ln5eu8ni.default\cert8.db Object
is locked skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Mozilla\Firefox\Profiles\ln5eu8ni.default\history.dat
Object is locked skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Mozilla\Firefox\Profiles\ln5eu8ni.default\key3.db Object
is locked skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Mozilla\Firefox\Profiles\ln5eu8ni.default\parent.lock
Object is locked skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Mozilla\Firefox\Profiles\ln5eu8ni.default\search.sqlite
Object is locked skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Mozilla\Firefox\Profiles\ln5eu8ni.default\urlclassifier2.sqlite
Object is locked skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Thunderbird\Profiles\dfiuotmb.default\Mail\split.it\oldsplitinbox/[From
"Tiziana Gelardi" ][Date Thu, 12 Oct 2000 11:27:41 +0200]/text/[From
"Wintic.it" ][Date Sun, 20 Apr 2003 11:53:52 +0200]/UNNAMED/[From
<190.it@mail.vodafone.it>][Date Fri, 6 Jun 2003 17:45:17
+0200]/UNNAMED/[From Rosalba e Massimo ][Date Sun, 15 Jun 2003 17:34:32
+0200]/UNNAMED/[From "R.E.M." ][Date ... /[From "Agriturismo ... /[From
][Date Mon, 30 Jun 2003 14:56:58 +0200]/Matrix Infected:
Email-Worm.Win32.Tanatos.b.dam skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Thunderbird\Profiles\dfiuotmb.default\Mail\split.it\oldsplitinbox/[From
"Tiziana Gelardi" ][Date Thu, 12 Oct 2000 11:27:41 +0200]/text/[From
"Wintic.it" ][Date Sun, 20 Apr 2003 11:53:52 +0200]/UNNAMED/[From
<190.it@mail.vodafone.it>][Date Fri, 6 Jun 2003 17:45:17
+0200]/UNNAMED/[From Rosalba e Massimo ][Date Sun, 15 Jun 2003 17:34:32
+0200]/UNNAMED/[From "R.E.M." ][Date ... /[ ... /[From Rosalb ... ...
/Accrediti Cernobbio.jpg .scr Infected: Email-Worm.Win32.Tanatos.e
skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Thunderbird\Profiles\dfiuotmb.default\Mail\split.it\oldsplitinbox/[From
"Tiziana Gelardi" ][Date Thu, 12 Oct 2000 11:27:41 +0200]/text/[From
"Wintic.it" ][Date Sun, 20 Apr 2003 11:53:52 +0200]/UNNAMED/[From
<190.it@mail.vodafone.it>][Date Fri, 6 Jun 2003 17:45:17
+0200]/UNNAMED/[From Rosalba e Massimo ][Date Sun, 15 Jun 2003 17:34:32
+0200]/UNNAMED/[From "R.E.M." ][Date ... /[ ... /[From Rosalb ... /[From
"Cfn" ][Date Tue, 27 Apr 2004 14:27:50 +0200]/UNNAMED Infected:
Email-Worm.Win32.Tanatos.e skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Thunderbird\Profiles\dfiuotmb.default\Mail\split.it\oldsplitinbox/[From
"Tiziana Gelardi" ][Date Thu, 12 Oct 2000 11:27:41 +0200]/text/[From
"Wintic.it" ][Date Sun, 20 Apr 2003 11:53:52 +0200]/UNNAMED/[From
<190.it@mail.vodafone.it>][Date Fri, 6 Jun 2003 17:45:17
+0200]/UNNAMED/[From Rosalba e Massimo ][Date Sun, 15 Jun 2003 17:34:32
+0200]/UNNAMED/[From "R.E.M." ][Date ... /[ ... /[From Rosalba e Massimo
][Date Thu, 04 Mar 2004 10:05:38 +0100]/text Infected:
Email-Worm.Win32.Tanatos.e skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Thunderbird\Profiles\dfiuotmb.default\Mail\split.it\oldsplitinbox/[From
"Tiziana Gelardi" ][Date Thu, 12 Oct 2000 11:27:41 +0200]/text/[From
"Wintic.it" ][Date Sun, 20 Apr 2003 11:53:52 +0200]/UNNAMED/[From
<190.it@mail.vodafone.it>][Date Fri, 6 Jun 2003 17:45:17
+0200]/UNNAMED/[From Rosalba e Massimo ][Date Sun, 15 Jun 2003 17:34:32
+0200]/UNNAMED/[From "R.E.M." ][Date ... /[From ... /[From
servizioclientibol@mondadori.it][Date Thu, 11 Dec 2003 14:24:09 +0100
(CET)]/text Infected: Email-Worm.Win32.Tanatos.e skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Thunderbird\Profiles\dfiuotmb.default\Mail\split.it\oldsplitinbox/[From
"Tiziana Gelardi" ][Date Thu, 12 Oct 2000 11:27:41 +0200]/text/[From
"Wintic.it" ][Date Sun, 20 Apr 2003 11:53:52 +0200]/UNNAMED/[From
<190.it@mail.vodafone.it>][Date Fri, 6 Jun 2003 17:45:17
+0200]/UNNAMED/[From Rosalba e Massimo ][Date Sun, 15 Jun 2003 17:34:32
+0200]/UNNAMED/[From "R.E.M." ][Date ... /[From "Agriturismoalba" ][Date
Tue, 24 Jun 2003 20:07:53 +0200]/text Infected:
Email-Worm.Win32.Tanatos.e skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Thunderbird\Profiles\dfiuotmb.default\Mail\split.it\oldsplitinbox/[From
"Tiziana Gelardi" ][Date Thu, 12 Oct 2000 11:27:41 +0200]/text/[From
"Wintic.it" ][Date Sun, 20 Apr 2003 11:53:52 +0200]/UNNAMED/[From
<190.it@mail.vodafone.it>][Date Fri, 6 Jun 2003 17:45:17
+0200]/UNNAMED/[From Rosalba e Massimo ][Date Sun, 15 Jun 2003 17:34:32
+0200]/UNNAMED/[From "R.E.M." ][Date Fri, 20 Jun 2003 21:21:00
-0400]/UNNAMED Infected: Email-Worm.Win32.Tanatos.e skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Thunderbird\Profiles\dfiuotmb.default\Mail\split.it\oldsplitinbox/[From
"Tiziana Gelardi" ][Date Thu, 12 Oct 2000 11:27:41 +0200]/text/[From
"Wintic.it" ][Date Sun, 20 Apr 2003 11:53:52 +0200]/UNNAMED/[From
<190.it@mail.vodafone.it>][Date Fri, 6 Jun 2003 17:45:17
+0200]/UNNAMED/[From Rosalba e Massimo ][Date Sun, 15 Jun 2003 17:34:32
+0200]/UNNAMED Infected: Email-Worm.Win32.Tanatos.e skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Thunderbird\Profiles\dfiuotmb.default\Mail\split.it\oldsplitinbox/[From
"Tiziana Gelardi" ][Date Thu, 12 Oct 2000 11:27:41 +0200]/text/[From
"Wintic.it" ][Date Sun, 20 Apr 2003 11:53:52 +0200]/UNNAMED/[From
<190.it@mail.vodafone.it>][Date Fri, 6 Jun 2003 17:45:17
+0200]/UNNAMED Infected: Email-Worm.Win32.Tanatos.e skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Thunderbird\Profiles\dfiuotmb.default\Mail\split.it\oldsplitinbox/[From
"Tiziana Gelardi" ][Date Thu, 12 Oct 2000 11:27:41 +0200]/text/[From
"Wintic.it" ][Date Sun, 20 Apr 2003 11:53:52 +0200]/UNNAMED Infected:
Email-Worm.Win32.Tanatos.e skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Thunderbird\Profiles\dfiuotmb.default\Mail\split.it\oldsplitinbox/[From
"Tiziana Gelardi" ][Date Thu, 12 Oct 2000 11:27:41 +0200]/text
Infected: Email-Worm.Win32.Tanatos.e skipped
C:\Documents and Settings\alessandro\Dati
applicazioni\Thunderbird\Profiles\dfiuotmb.default\Mail\split.it\oldsplitinbox
Mail Berkeley mbox: infected - 11 skipped
C:\Documents and Settings\alessandro\Impostazioni
locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\alessandro\Impostazioni locali\Dati
applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\alessandro\Impostazioni locali\Dati
applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\alessandro\Impostazioni locali\Dati
applicazioni\Mozilla\Firefox\Profiles\ln5eu8ni.default\Cache\_CACHE_001_
Object is locked skipped
C:\Documents and Settings\alessandro\Impostazioni locali\Dati
applicazioni\Mozilla\Firefox\Profiles\ln5eu8ni.default\Cache\_CACHE_002_
Object is locked skipped
C:\Documents and Settings\alessandro\Impostazioni locali\Dati
applicazioni\Mozilla\Firefox\Profiles\ln5eu8ni.default\Cache\_CACHE_003_
Object is locked skipped
C:\Documents and Settings\alessandro\Impostazioni locali\Dati
applicazioni\Mozilla\Firefox\Profiles\ln5eu8ni.default\Cache\_CACHE_MAP_
Object is locked skipped
C:\Documents and Settings\alessandro\Impostazioni
locali\Temp\Perflib_Perfdata_e34.dat Object is locked skipped
C:\Documents and Settings\alessandro\Impostazioni locali\Temporary
Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\alessandro\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\alessandro\ntuser.dat.LOG Object is locked
skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is
locked skipped
C:\Documents and Settings\LocalService\Impostazioni
locali\Cronologia\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati
applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Dati
applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Impostazioni locali\Temporary
Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked
skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is
locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati
applicazioni\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Impostazioni locali\Dati
applicazioni\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked
skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is
locked skipped
C:\Programmi\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Programmi\Avast4\DATA\Avast4.db Object is locked skipped
C:\Programmi\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Programmi\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Programmi\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Programmi\Avast4\DATA\report\Protezione residente.txt Object is
locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is
locked skipped
C:\System Volume
Information\_restore{3C018861-145D-40A6-A95C-80499D077B6C}\RP148\A0012932.scr
Infected: Trojan-Downloader.Win32.Banload.ayx skipped
C:\System Volume
Information\_restore{3C018861-145D-40A6-A95C-80499D077B6C}\RP151\change.log
Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked
skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked
skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked
skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6c4.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
*Scan process completed.*



========================
Hijack this
========================
Logfile of HijackThis v1.99.1
Scan saved at 0.04.30, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Avast4\aswUpdSv.exe
C:\Programmi\Avast4\ashServ.exe
C:\Programmi\AVG Anti-Spyware 7.5\guard.exe
C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmi\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Programmi\Avast4\ashMaiSv.exe
C:\Programmi\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programmi\Toshiba\Toshiba Applet\thotkey.exe
C:\Programmi\TOSHIBA\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Programmi\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Programmi\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\Programmi\QuickTime\qttask.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Programmi\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Programmi\Google\Google Talk\googletalk.exe
C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe
C:\Programmi\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\system32\mdm.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.it/0SEITIT/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Toolbar Suite\TB\02.05.0000.1082\it-it\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programmi\MSN Toolbar Suite\TB\02.05.0000.1082\it-it\msntb.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [THotkey] C:\Programmi\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [Tvs] C:\Programmi\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programmi\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [PadTouch] C:\Programmi\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AnyDVD] "C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Programmi\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [googletalk] "C:\Programmi\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmi\File comuni\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Programmi\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Programmi\MSN Toolbar Suite\DS\02.05.0001.1119\it-it\bin\WindowsSearch.exe
O8 - Extra context menu item: &MSN Search - res://C:\Programmi\MSN Toolbar Suite\TB\02.05.0000.1082\it-it\msntb.dll/search.htm
O8 - Extra context menu item: Apri in nuova scheda in primo piano - res://C:\Programmi\MSN Toolbar Suite\TAB\02.05.0001.1119\it-it\msntabres.dll/230?91351616ad534ccf90bb858fef25fcea
O8 - Extra context menu item: Apri in nuova scheda in secondo piano - res://C:\Programmi\MSN Toolbar Suite\TAB\02.05.0001.1119\it-it\msntabres.dll/229?91351616ad534ccf90bb858fef25fcea
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Ricerche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programmi\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {2EF3FB47-7B1E-4536-BA4D-51427BD45DFA} (PIXACO Drag and Drop upload plugin) - http://www.pixaco.it/static/download/pixacodndupload.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programmi\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programmi\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmi\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmi\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programmi\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Programmi\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Unknown owner - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)




Dear David, I hope we can solve these little problems,
because, on the other hand, the PC seems to run well
without problems.

Bye, spillo9.
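
The Kaspersky report above lists 25 "infected objects", but it counts every nested message inside an mbox separately: the objects live in two copies of one Thunderbird mailbox plus one file in a System Restore point. The script below is an added example for this thread (not code from Kaspersky, BleepingComputer or the poster) that groups the report's hits by the file that actually exists on disk and ignores the "Object is locked" noise, which is what decides the clean-up for each. REPORT is a constructed, un-wrapped excerpt: the container paths and detection names are the ones the scan printed, the nested message names are simplified.

```python
"""Triage a Kaspersky Online Scanner report by the file on disk that holds
each hit, so nested detections inside one mailbox are not read as many
separate infections. Added example; REPORT is a constructed excerpt."""
import re
from collections import Counter, defaultdict

REPORT = r"""
C:\alink\Mail\split.it\oldsplitinbox/[From "Tiziana Gelardi" ][Date Thu, 12 Oct 2000 11:27:41 +0200]/text/[From "Wintic.it" ][Date Sun, 20 Apr 2003 11:53:52 +0200]/UNNAMED Infected: Email-Worm.Win32.Tanatos.e skipped
C:\alink\Mail\split.it\oldsplitinbox/[From "Tiziana Gelardi" ][Date Thu, 12 Oct 2000 11:27:41 +0200]/text/Matrix Infected: Email-Worm.Win32.Tanatos.b.dam skipped
C:\alink\Mail\split.it\oldsplitinbox/[From "Tiziana Gelardi" ][Date Thu, 12 Oct 2000 11:27:41 +0200]/text Infected: Email-Worm.Win32.Tanatos.e skipped
C:\alink\Mail\split.it\oldsplitinbox Mail Berkeley mbox: infected - 11 skipped
C:\Documents and Settings\alessandro\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\alessandro\Dati applicazioni\Thunderbird\Profiles\dfiuotmb.default\Mail\split.it\oldsplitinbox/[From "Tiziana Gelardi" ][Date Thu, 12 Oct 2000 11:27:41 +0200]/text Infected: Email-Worm.Win32.Tanatos.e skipped
C:\Documents and Settings\alessandro\Dati applicazioni\Thunderbird\Profiles\dfiuotmb.default\Mail\split.it\oldsplitinbox Mail Berkeley mbox: infected - 11 skipped
C:\System Volume Information\_restore{3C018861-145D-40A6-A95C-80499D077B6C}\RP148\A0012932.scr Infected: Trojan-Downloader.Win32.Banload.ayx skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<sig>\S+) (?P<action>\w+)$")
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
MBOX_SUMMARY = re.compile(r"^(?P<path>.+?) Mail Berkeley mbox: infected - (?P<n>\d+) skipped$")


def container_of(path):
    """Kaspersky joins nested objects (messages inside an mbox, files inside
    an archive) with '/', which a Windows path never contains, so the text
    before the first '/' is the file that exists on disk."""
    return path.split("/", 1)[0]


def triage(report_text):
    """Return (hits per container, number of locked objects, mbox summaries).
    hits maps container path -> Counter(signature -> count)."""
    hits = defaultdict(Counter)
    locked = 0
    summaries = {}
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LOCKED.match(line):
            locked += 1  # in-use system files the scanner could not open, not detections
            continue
        m = MBOX_SUMMARY.match(line)
        if m:
            summaries[m["path"]] = int(m["n"])
            continue
        m = DETECTION.match(line)
        if m:
            hits[container_of(m["path"])][m["sig"]] += 1
    return dict(hits), locked, summaries


def remediation(container):
    """Where a hit lives decides the fix (the split the next reply in the thread makes)."""
    low = container.lower()
    if "\\system volume information\\_restore" in low:
        return "restore point: purge by switching System Restore off and on, then create a fresh point"
    if "\\mail\\" in low:
        return "mailbox: remove or quarantine the carrying messages, keep the rest of the profile"
    return "loose file: delete it or let the resident AV quarantine it"


def summarize(report_text):
    """Human-readable triage: one line per file on disk plus a totals line."""
    hits, locked, summaries = triage(report_text)
    lines = []
    for container, sigs in hits.items():
        total = sum(sigs.values())
        detail = ", ".join(f"{sig} x{n}" for sig, n in sigs.items())
        lines.append(f"{container}: {total} object(s) [{detail}] -> {remediation(container)}")
    lines.append(f"{locked} locked object(s) ignored; {len(hits)} file(s) actually need attention")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(REPORT)))
```

On the constructed excerpt this collapses five detections and two locked objects into three files: the `C:\alink` mailbox copy, the Thunderbird profile copy of the same mailbox, and one `.scr` in a restore point, each with a different clean-up.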

#8 -David- (Members, 10,603 posts, London)

Posted 12 November 2006 - 04:09 PM

Hello there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

We need to purge your infected system restore points.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Now, we want to create a new, clean restore point.
Please first reboot your computer.
Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create and you're done.

As discussed in chat, you have a number of infected emails.
I recommend you go through and delete any unknown emails in your Thunderbird archives.
Also have a look in your old alink mail folders as there are infected emails lurking there too.

Reboot a final time and let me know how the PC is running.
David
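
The mailbox clean-up David asks for above (remove the infected messages from the Thunderbird and old `alink` mbox files while keeping the rest) can be done without reading every message by hand. The script below is an added example for this thread, not code from BleepingComputer, Thunderbird or Kaspersky: it reads a Berkeley mbox, moves every message that carries an executable attachment anywhere in it, including inside forwarded message/rfc822 parts (which is where the nested hits in the report lived), into a separate quarantine mbox, and writes the rest to a clean mbox. Nothing is deleted, so a false positive can be moved back. The senders, subjects and the inner "invoice.pif" name are constructed for the demo; the "Accrediti Cernobbio.jpg .scr" name is the one the scan flagged.

```python
"""Split a Berkeley mbox into clean messages and quarantined ones, keeping
everything that does not carry an executable attachment.
Added example; the sample messages built here are constructed."""
import mailbox
import os
import tempfile
from email.message import EmailMessage

# What Windows will execute on double-click. A name like "photo.jpg .scr"
# is decided by its last extension, which is the only one checked here.
RISKY_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def risky_name(filename):
    """True if the attachment's effective (last) extension is executable."""
    if not filename:
        return False
    _, ext = os.path.splitext(filename.strip().lower())
    return ext in RISKY_EXTENSIONS


def risky_attachments(msg):
    """Names of executable attachments anywhere in msg. walk() descends into
    forwarded message/rfc822 parts as well as ordinary multipart children."""
    return [p.get_filename() for p in msg.walk() if risky_name(p.get_filename())]


def filter_mbox(src_path, clean_path, quarantine_path):
    """Copy safe messages to clean_path and flagged ones to quarantine_path.
    Returns (kept_count, [(subject, [flagged names]), ...])."""
    src = mailbox.mbox(src_path)
    clean = mailbox.mbox(clean_path)
    quarantine = mailbox.mbox(quarantine_path)
    kept, report = 0, []
    try:
        for msg in src:
            flagged = risky_attachments(msg)
            if flagged:
                quarantine.add(msg)
                report.append((msg["Subject"], flagged))
            else:
                clean.add(msg)
                kept += 1
        clean.flush()
        quarantine.flush()
    finally:
        src.close()
        clean.close()
        quarantine.close()
    return kept, report


def _message(sender, subject, attachments=(), forwarded=None):
    """Constructed sample message; attachments are (filename, bytes) pairs."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "alessandro@example.invalid"  # constructed address
    m["Subject"] = subject
    m.set_content("constructed sample body")
    for name, data in attachments:
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    if forwarded is not None:
        m.add_attachment(forwarded)  # attached as a message/rfc822 part
    return m


def build_sample_mbox(path):
    """Three constructed messages: a clean one, one with a double-extension
    screensaver, and one whose forwarded inner message hides the executable."""
    box = mailbox.mbox(path)
    box.add(_message("friend@example.invalid", "holiday", [("beach.jpg", b"\xff\xd8\xff")]))
    box.add(_message("friend@example.invalid", "party photos",
                     [("Accrediti Cernobbio.jpg .scr", b"MZ\x90\x00")]))
    inner = _message("shop@example.invalid", "invoice", [("invoice.pif", b"MZ\x90\x00")])
    box.add(_message("colleague@example.invalid", "Fwd: invoice", forwarded=inner))
    box.flush()
    box.close()
    return path


def demo():
    """Filter the constructed mailbox in a scratch directory and report."""
    with tempfile.TemporaryDirectory() as workdir:
        src = build_sample_mbox(os.path.join(workdir, "oldsplitinbox"))
        kept, report = filter_mbox(src, src + ".clean", src + ".quarantine")
    return {"kept": kept, "quarantined": report}


if __name__ == "__main__":
    print(demo())
```

To use it on a real profile, close Thunderbird first (the scan report shows the profile files locked while it runs), point `filter_mbox` at the mbox file with no extension in the profile's `Mail` folder, and replace the original with the `.clean` output only after checking the quarantine list.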

#9 spillo9 (Topic Starter, Members, 15 posts)

Posted 13 November 2006 - 01:34 PM

Hello David, I followed the procedure you described.

Then I launched Kaspersky to see if there were remaining infections:
the 2 e-mail infections remained, but the infection
regarding the restore points went away, so I hope I carried out
your procedure correctly.

It was too long a task to selectively eliminate the suspicious e-mails,
so I decided to eliminate my e-mail backups, since I own
another copy of them on another desktop PC.
I launched Kaspersky again and it found no viruses on the entire disk.

Can I be tranquil now? I await your confirmation.

I ask you a question: what is the difference between the Kaspersky
on-line scan and my resident Avast program?
Is Avast less efficient than the Kaspersky scan, or can I be safe
with Avast too?

Ok, I await your next answer.

Bye, spillo9.

#10 -David- (Members, 10,603 posts, London)

Posted 13 November 2006 - 03:27 PM

Hey spillo9.

Good to hear that the latest Kaspersky log is clean.
I'm confident that you can now relax, the computer should be fine.
The difference between Avast resident AV and Kaspersky online scan is a big one.
A resident AV is downloaded and installed on your PC, whilst the online scan is accessed online.
The resident AV checks files coming in and out the whole time.
The online scan simply checks files against malware signatures, and flags them if bad.

It's important to have a resident AV running at all times, and relying on online scans will not suffice.
Without anything stopping the files being downloaded, the computer will get infected again.
Although an Avast scan may have come up clean, I have no doubt it helped stop some of the malware.
It is a good AV and you should have confidence in it.
You are safe with Avast, as long as you keep it updated.

How is the PC running, I see clean logs here :thumbsup:

#11 spillo9 (Topic Starter, Members, 15 posts)

Posted 14 November 2006 - 12:58 PM

Hello David, many thanks for your
kindness and preparation.

Bye bye, spillo9.

#12 -David- (Members, 10,603 posts, London)

Posted 18 November 2006 - 05:50 PM

Glad I could help! :thumbsup:
The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and updating them regularly.

Install Spybot© - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis, just as you would with anti-virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasoft's© Ad-Aware - Download and install Ad-Aware.
* You should also scan your computer with the program on a regular basis, just as you would with anti-virus software, in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites to your Internet Explorer and Firefox settings, which will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any additional questions just ask...
David

#13 spillo9

spillo9
  • Topic Starter

  • Members
  • 15 posts

Posted 01 December 2006 - 05:15 PM

Hello David, I prefer to continue talking in this topic
so I'm sure YOU can answer to me.

I have another little problem I cannot solve.

I set up my Windows XP to make automatic updates;
you surely know the yellow icon in the system tray.
Until now, I made all the Windows update without problems.
After I make an update, I am asked to reboot the PC
and everything is OK.

I notice a problem with a particular update, which is named
KB923980.

When I launch the update, it seems that all is OK, but,
straight after the install has finished, the yellow icon
reappears in the system tray, proposing that I
reinstall this update.
So, I have problems with this particular update.
The strange thing: when the update finishes, it doesn't
ask me to reboot the PC, but it tells me all is OK, even
though it's not.

What can I do?

Many thanks, spillo9.

#14 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 02 December 2006 - 04:21 AM

Sorry it's taken a while to get back to you, but it took a long time to find a working solution.
I found this fix on a Microsoft newsgroup page, but I can't seem to copy and paste the direct link.
Whenever I paste the link, it redirects you to the main page, which will be of no use to you.
Thanks to the Microsoft team for this fix.
I've fleshed out the instructions to make it a bit more user friendly:

Uninstall the failed update from Add/Remove Programs in the Control Panel.
Next, show hidden files, folders, and system files:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Navigate to the C:\WINDOWS\system32 folder.
Right click on Nwapi32.dll and rename it to Nwapi32.old
If you cannot find this file, let me know before continuing.

Download the update manually from -
http://www.microsoft.com/downloads/details...a2-e4dbfc050667

Save it, close the browser, install it, and restart the system.
Revisit Windows/Microsoft Update to see if it's offered.
The files updated for XP SP2 are -
Nwapi32.dll, Nwprovau.dll, Nwwks.dll, Nwrdr.sys

They should all be at version 5.1.2600.3015
The .dll files are located in C:\WINDOWS\system32
The .sys is located in C:\WINDOWS\system32\drivers
Right click the files, choose Properties, then click the Version tab to confirm that the correct files are present.

To confirm the correct versions are present in Win 2K and Windows Server 2003, go here:
http://www.microsoft.com/technet/security/...n/MS06-066.mspx
Click the plus sign next to Security Update Information to view them.
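For readers who want to confirm the version step above in one go rather than opening each Properties dialog, here is an added PowerShell check; it is not part of David's instructions or the Microsoft fix, and it assumes PowerShell is installed on the XP SP2 machine and that the four files belong to KB923980. It also looks in the C:\WINDOWS\$hf_mig$\KB923980\SP2QFE hotfix store as a fallback location, because the files can end up there instead of system32.

```powershell
# Added example (not from the thread): verify that the KB923980 / MS06-066
# files are present and at the expected build, 5.1.2600.3015.
# Assumes Windows XP SP2 with PowerShell installed; SystemRoot is read from the environment.
$expected = [version]'5.1.2600.3015'
$sys32    = Join-Path $env:SystemRoot 'system32'
$drivers  = Join-Path $sys32 'drivers'
# Fallback: the hotfix migration store where the updated copies may have landed.
$hfMig    = Join-Path $env:SystemRoot '$hf_mig$\KB923980\SP2QFE'

# The .dll files belong in system32, the .sys driver in system32\drivers.
$targets = @(
    @{ Name = 'Nwapi32.dll';  Dir = $sys32 },
    @{ Name = 'Nwprovau.dll'; Dir = $sys32 },
    @{ Name = 'Nwwks.dll';    Dir = $sys32 },
    @{ Name = 'Nwrdr.sys';    Dir = $drivers }
)

foreach ($t in $targets) {
    $path = Join-Path $t.Dir $t.Name
    if (-not (Test-Path $path)) {
        # Not in the documented location; try the $hf_mig$ copy before reporting it missing.
        $alt = Join-Path $hfMig $t.Name
        if (Test-Path $alt) {
            $path = $alt
        } else {
            Write-Output ("MISSING  {0}" -f $path)
            continue
        }
    }
    # FileVersion may carry a trailing build tag such as "(xpsp_sp2_gdr...)",
    # so keep only the leading dotted number before comparing as a [version].
    $raw = (Get-Item $path).VersionInfo.FileVersion
    $ver = [version](($raw -split '[^0-9.]')[0])
    if ($ver -eq $expected) {
        Write-Output ("OK       {0}  {1}" -f $path, $ver)
    } else {
        Write-Output ("MISMATCH {0}  found {1}, expected {2}" -f $path, $ver, $expected)
    }
}
```

A MISMATCH or MISSING line for any of the four files means the update did not fully apply and Windows Update will keep re-offering it.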

#15 spillo9

spillo9
  • Topic Starter

  • Members
  • 15 posts

Posted 13 December 2006 - 12:00 PM

Hello David, I thank you so much for your help,
I think I solved my problem.

I only want to make two clarifications; maybe they can be useful to you.

1) When I had to uninstall the update KB923980,
it wasn't shown in "Add/Remove Programs", but
I manually uninstalled it by looking in the following directory:
C:\Windows\$NtUninstallKB923980$

2) When I finished the procedure, the files you indicated:
Nwapi32.dll, Nwprovau.dll, Nwwks.dll, Nwrdr.sys,
were not present in the directories you told me,
but they are all in the directory:
C:\Windows\$hf_mig$\KB923980\SP2QFE.
Don't ask me why :-))
but, anyway, I think it's all OK.

I thank you again and, if I don't have further problems
until the New Year, I wish you a Merry Christmas.

Bye bye, spillo9.
